Policy | Security | Investigation

informant

January 31, 2009

If an institution – any institution – is to maintain its reputation, it must be prepared to investigate the actions of its employees (personnel). Inevitably, allegations will arise that this or that employee embezzled, acted unethically, abused authority, laundered money, executed an unauthorized trade or simply made a mistake. Power to conduct internal investigations is critical to government agencies and for-profit corporations, as well as charity, non-profit, and educational organizations.

Modern investigations differ from those of the past by virtue of digital records. The sheer quantity of e-records (e-mail, text, chat or instant messages, logs, metadata, photographs, blog comments, surveillance videos, and so on) is mushrooming beyond comprehension. When an institution undertakes to audit whether a superior harassed a subordinate, an accountant misunderstood a tax liability or an administrator wrongfully tolerated a conflict of interest, a brimming corpus of electronic records can be available for examination . . . and can facilitate a just outcome. The records can shed welcome light on whether the subject of the investigation did what is claimed, or did not do it.

A case in point is an investigation at Yale University, a regular recipient of research grants from the federal government. Prosecutors alleged that academics at Yale had misallocated federal money (funds or assets) by (a) transferring grant funds to accounts that were not intended for the grants in question, and (b) paying themselves for summer activities using money from grants not earmarked for those activities.

In other words, the government claimed professors and staff played fast and loose in interpreting the purpose of specific grants.

In the face of such allegations, an institution has no choice but to cooperate with government. (Which university wants to be the subject of an adversarial police raid in search of computer records?) Yale launched a massive investigation, covering some $3 billion in grants over seven years (2000-2006). It turned over more than a million pages of documents. No doubt the massive quantity of records included email and other computer-based records. (A similar corruption probe in the 1980s could not have yielded as many records because computers and e-mail were not as pervasive then.) The college settled the matter in 2008 by agreeing to pay $7.6 million.

Although Yale admitted it had made some errors, the government granted the school a release from further liability with respect to the years that were investigated.

$7.6 million is a relatively small penalty. The university appears to have done itself three favors. First, it had retained plentiful records for many years. Second, it cooperated with the government and divulged rafts of records. Third, when the allegations first arose, Yale instituted reforms preemptively, including tighter accounting controls and improved staff training. The result was the imposition of only a small settlement payment. And as for the future, Yale remains qualified to receive grants from the government.

Had Yale produced fewer records, and displayed less transparency and less cooperation, the institution would not have fared so well.

I’ll bet the “errors” to which Yale admitted reflected past practices that had developed over decades, in an age when records were fewer and therefore government (inspectors general) had less ability to audit or investigate.

The incident teaches Yale staff (and staff at other institutions receiving federal grants) that they will be on a tighter leash for the future. A digital informant is ready to snitch on them. The super-plentiful e-records now being made about their daily activities expose them to greater review and accountability than was historically possible.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.